This article from Network World brings up a couple of good points. The first is that if you are taking family vacation pictures that are important to you, take them on a real camera for safekeeping; the second is don’t let your 5-year-old play with your smartphone, so she doesn’t wipe out important information or, more likely, drop it in the toilet, rendering your device completely useless. In all seriousness, we are seeing how BYOD is starting to blur the lines where our business and personal lives intersect, and how we need well-thought-out policies in place in advance of these mini-disasters (sorry, losing personal pictures does not constitute a real disaster) that could actually impact a client relationship. What could have been put in place prior to this Mimecast executive incident is having only the corporate information wiped from his device and not his personal documents, pictures, contacts, etc. Again, this all needs to be put in place beforehand, with your company’s key stakeholders deciding what can or cannot be left behind on a device should a violation of corporate policy be registered.
This will be an interesting week in terms of BYOD, as two major conferences, CTIA in New Orleans and Citrix Synergy in San Francisco, are taking place, and we expect much to come out of both shows on how we securely manage information that is being delivered to all of our devices. I’m sure that we will hear of many different types of devices beyond just the Smartphone, Notebook, Netbook, Tablet, Ultrabook and the many hybrids that will be on the market right after these events. Regardless of form factor, does your company have policies in place to deal with the information that is transmitted to, or could potentially be stored on, devices that you haven’t even seen yet? Now is a good time to gear up on what your next steps are, and if you can’t make these events, be sure to watch the live or recorded webcasts on where these industries are headed. This is a big week, so let me say in advance, Let’s Go Mobile!
Mimecast CEO Peter Bauer recently found himself at the intersection of consumerization and IT management, falling victim to personal data loss as the result of the internal management policy he himself helped establish.
While on a family vacation in South Africa, Bauer’s 5-year-old daughter tried to use his smartphone. After she entered the incorrect PIN code five times, the corporate-installed remote wipe capability kicked in and Bauer lost all of the photos he had taken through the first half of the trip.
The frustration among end users whose personal information can be lost at the hands of their employers’ policy is one of the main challenges Bauer says Mimecast has seen as it continues to move forward with its young bring-your-own-device (BYOD) management policy. However, that frustration is both natural and necessary if IT is going to strike a compromise with employees, Bauer says.
“Some pretty key corporate information moves from the secure inner sanctum of your building onto a BYOD device, and if you don’t have a way of protecting that stuff, then you’re kidding yourself about having information security in place,” Bauer says.
Mimecast’s management team considered a partial wipe on employees’ personal devices, which would delete sensitive corporate email and documents but leave others, such as vacation photos, on the device. However, even photos could present a risk, as Bauer says he and his employees have been taking advantage of their smartphone cameras to capture information scribbled on whiteboards in meetings so it can be referenced later on. With the increasingly innovative uses for smartphones, Bauer considered this tighter policy the only secure way to enable productivity while mitigating risk.
At the recent DevConnections Conference in Las Vegas, Mimecast surveyed 500 IT professionals and administrators on BYOD, finding that while half consider access to personal devices a “productivity necessity,” another 21% said it has been a risk to their business. For another 26%, the perceived risk was enough to deny their employees the right to BYOD.
However, employees are likely to use whatever device suits them for work tasks regardless of their employers’ policies, Bauer says. That suggests both that consumerization is occurring in more organizations than the survey showed, Bauer says, and that those without a management policy are leaving themselves susceptible to information security risks.
As an email management vendor with its own mobile offerings, Bauer says Mimecast has a unique situation. Employees naturally use a broad range of devices to test for compatibility with their apps, as well as completing their own tasks. In order to support this environment while reducing risk, Mimecast’s BYOD policy includes a comprehensive list of approved devices employees can use for work purposes, including iOS, Android, BlackBerry and Windows Phone. As a protective measure, when employees want to use a personal device for work, they have to register it with the IT team so the remote wipe capability can be synced.
“As companies are having to expose their IT services broadly on the internet so that all these devices that users are trying to access from can actually get to the IT applications, portals, email services or run business applications, the access control is enforced on a per-device basis,” Bauer says. “So you can bring your own but it doesn’t mean that you can just go and use somebody else’s device or pick one up without actually going through a registration process with a company.”
Bauer says Mimecast’s BYOD policy is not written in stone, and is “going to be a work in progress.” As new mobile management tools come to market, and mobile app developers continue to cater to the increasingly mobile worker, management policies in general will need to bend accordingly.
It comes as no surprise, then, that 74% of DevConnections attendees responding to Mimecast’s survey said the biggest challenge in the age of BYOD is managing information security. When it comes to enterprise mobility, the most effective approach will be to keep mobile devices on a short leash until further trust can be justified, Bauer says.
“We need to start with an approach like this and then see how it works, and then modify it once we’ve seen more,” Bauer says. “Generally, it’s about having tighter controls initially and then loosening them up a little bit when we understand more of the implications.”
Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World. Follow him on Twitter https://twitter.com/#!/ntwrkwrldneagle and keep up with the Microsoft https://twitter.com/#!/microsoftsubnet , Cisco https://twitter.com/#!/ciscosubnet and Open Source community blogs.